Authentication versus authorization: What’s the difference?

Authentication and authorization are related but distinct processes in an organization’s identity and access management (IAM) system. Authentication verifies a user’s identity. Authorization gives the user the right level of access to system resources.

The authentication process relies on credentials, such as passwords or fingerprint scans, that users present to prove they are who they claim to be. The authorization process uses user permissions to define what each user can do within a particular resource or network. For example, permissions in a file system might dictate whether a user can create, read, update or delete files.

Authentication and authorization processes apply to both human and nonhuman users, such as devices, automated workloads and web apps. A single IAM system might perform both authentication and authorization, or separate systems might perform the two processes in concert. Authentication is usually a prerequisite for authorization: a system must know who a user is before it can decide what to grant that user.

Identity-based attacks, in which hackers hijack valid user accounts and abuse their access rights, are on the rise. According to the IBM X-Force® Threat Intelligence Index, these attacks are one of the most common ways that threat actors sneak into networks, accounting for 30% of all cyberattacks.

Authentication and authorization work together to enforce secure access controls and thwart data breaches. Strong authentication processes make it harder for hackers to take over user accounts. Strong authorization limits the damage hackers can do with those accounts.

Understanding authentication

How authentication works

Authentication, sometimes abbreviated as “authn,” is based on the exchange of user credentials, also called authentication factors. Authentication factors are pieces of evidence that prove the identity of a user.

When a user registers with a system for the first time, they establish a set of authentication factors. When the user logs in, they present these factors. The system checks the presented factors against what it has on file (for passwords, a salted hash rather than the password itself). If they match, the system trusts that the user is who they claim to be.

Common types of authentication factors include:

  • Knowledge factors: Something only the user knows, such as a password, PIN or the answer to a security question.
  • Possession factors: Something the user has, such as a phone running an authenticator app that generates one-time codes, or a physical security key.
  • Inherent factors: Biometrics, such as facial recognition and fingerprint scans.

Individual apps and resources can have their own authentication systems. Many organizations use one integrated system, such as a single sign-on (SSO) solution, where users can authenticate once to access multiple resources in a secure domain.

Common authentication standards include Security Assertion Markup Language (SAML) and OpenID Connect (OIDC). SAML uses signed XML messages (assertions) to share authentication information between systems, while OIDC issues signed JSON Web Tokens (JWTs) called “ID tokens,” which the receiving application must validate before trusting.

Types of authentication

  • Single-factor authentication (SFA) requires one authentication factor to prove a user’s identity. Supplying a username and password to log in to a social media site is a typical example of SFA.
  • Multifactor authentication (MFA) requires at least two authentication factors of two different types, such as a password (knowledge factor) and a fingerprint scan (inherent factor). Two factors of the same type, such as a password and a security question, do not count as MFA.
  • Two-factor authentication (2FA) is a specific type of MFA that requires exactly two factors. Most internet users have experienced 2FA, such as when a banking app requires both a password and a one-time code sent to the user’s phone.
  • Passwordless authentication methods do not use passwords, or any knowledge factors for that matter. Passwordless systems have become popular as a defense against credential thieves, who target knowledge factors because they are the easiest to phish, guess or reuse from other breaches.
  • Adaptive (risk-based) authentication systems adjust authentication requirements based on the risk signals of a login attempt, often using machine learning to score them. For example, a user signing in from an unfamiliar device or location might be asked for an additional factor before the system verifies them.
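The registration-then-verification flow described above, combined with the MFA rule that the two factors must be of different types, as an added example that is not code from the original page: a knowledge factor (password stored as a salted scrypt hash) and a possession factor (a time-based one-time code per RFC 6238, as generated by an authenticator app) are both checked before the login succeeds. The user store, the password and the helper names are constructed for the example; the TOTP secret is the published RFC 4226/6238 test secret so the codes are the standard's own test vectors.

```python
import hashlib
import hmac
import os
import struct

STEP_SECONDS = 30  # TOTP time step (RFC 6238 default)
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)


def register(password: str, totp_secret: bytes) -> dict:
    """Create the record kept on file for a user (constructed in-memory store;
    a real system persists this in a database). Only a salted hash of the
    password is kept. The TOTP secret is what was provisioned to the user's
    authenticator app, normally shown once as a QR code."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS),
        "totp_secret": totp_secret,
        "last_step": -1,  # last TOTP time step accepted, used to stop code replay
    }


def verify_password(record: dict, password: str) -> bool:
    """Knowledge factor: recompute the hash and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=record["salt"], **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, record["pw_hash"])


def totp_at_step(secret: bytes, step: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226) over the time-step counter with HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10**digits).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """The code the user's authenticator app displays at a given time."""
    return totp_at_step(secret, unix_time // STEP_SECONDS)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1):
    """Possession factor: return the time step the code matched, or None.
    One step of tolerance either side absorbs clock drift between the
    server and the user's device."""
    if not (code.isascii() and code.isdigit()):
        return None
    step = unix_time // STEP_SECONDS
    for candidate in range(step - window, step + window + 1):
        if hmac.compare_digest(totp_at_step(secret, candidate), code):
            return candidate
    return None


def authenticate(record: dict, password: str, code: str, unix_time: int) -> bool:
    """MFA: a knowledge factor and a possession factor must both verify."""
    pw_ok = verify_password(record, password)
    step = verify_totp(record["totp_secret"], code, unix_time)
    # Evaluate both factors before deciding, so neither the timing nor the
    # error tells an attacker which factor was wrong.
    if not pw_ok or step is None or step <= record["last_step"]:
        return False
    record["last_step"] = step  # each TOTP code is single-use
    return True


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226/6238 test secret
    user = register("correct horse battery staple", secret)
    print(totp(secret, 59))                                                   # 287082
    print(authenticate(user, "correct horse battery staple", "287082", 59))  # True
    print(authenticate(user, "correct horse battery staple", "287082", 59))  # False (replay)
```

Recording the last accepted time step is the detail most home-grown TOTP checks miss: without it, a code captured by a phishing page stays valid for the rest of its 30-second window (plus the drift window) even after the legitimate user has logged in.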


Authentication examples

  • Using a fingerprint scan and PIN code to unlock a smartphone.
  • Presenting ID to open a new bank account.
  • Having a web browser verify a website’s identity by checking the digital certificate it presents during the TLS handshake.
  • Having an app verify itself to an application programming interface (API) by including its secret key in every call.

Understanding authorization

How authorization works

Authorization, sometimes abbreviated as “authz,” is based on user permissions. Permissions are policies that detail what a user can access and what they can do with that access in a system.

Administrators and security leaders typically define user permissions, and authorization systems enforce them. When a user attempts to access a resource or perform an action, the authorization system checks their permissions before allowing them to proceed.

Consider a sensitive database containing customer records. Authorization determines whether a user can even see this database. If they can, authorization also determines what they can do within the database. Can they just read entries, or can they also create, delete and update entries?

OAuth 2.0 is one example of a common authorization protocol. It uses access tokens to delegate a limited subset of a user’s permissions (scopes) to an application, without handing that application the user’s credentials. For example, OAuth enables a social media site to read a user’s email contacts to suggest people the user might know, provided the user consents to that specific scope.

Types of authorization

  • Role-based access control (RBAC) methods determine user access permissions based on their roles. For example, a junior-level security analyst might be able to view firewall configurations but not change them, while the head of network security might have full administrative access.
  • Attribute-based access control (ABAC) methods use the attributes of users, objects and actions, such as a user’s department, a resource’s classification and the time of day, to determine access. When a user tries to access a resource, an ABAC system evaluates all the relevant attributes and only grants access if they meet predefined criteria. For example, in an ABAC system, users might be able to access sensitive data only during work hours and only if they hold a certain level of seniority.
  • Mandatory access control (MAC) systems enforce centrally defined access control policies that individual users cannot override, typically by comparing security labels on subjects and objects, such as clearance levels. Many operating systems use MAC (for example, SELinux and AppArmor on Linux) to confine programs to the system resources they need.
  • Discretionary access control (DAC) systems let the owner of a resource set the access rules for that resource, as with file permissions on most operating systems. DAC is more flexible than the blanket policies of MAC, but it also depends on every owner making sound decisions.
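The RBAC and ABAC decisions described in the list above, carried through as a small default-deny policy engine. This is an added example, not code from the original page or from any IAM product: the roles, the (resource, action) table, the work-hours and seniority rule and the subjects and resources are all constructed for the example. Each check returns a denial reason rather than a bare boolean so the decision can be logged for audit, which is how a practitioner would want to see why a request was refused.

```python
from dataclasses import dataclass
from datetime import datetime

# RBAC: role -> set of (resource_type, action) the role may perform.
# Constructed for this example; a real deployment loads this from a policy store.
ROLE_PERMISSIONS = {
    "junior_analyst": {("firewall_config", "read")},
    "network_security_head": {
        ("firewall_config", "read"), ("firewall_config", "update"),
        ("customer_db", "read"), ("customer_db", "update"),
    },
}

# ABAC: attribute thresholds used by the rules below (constructed values).
WORK_HOURS = range(9, 18)            # 09:00 to 17:59 local time
MIN_SENIORITY_FOR_CONFIDENTIAL = 3   # years


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset
    seniority_years: int


@dataclass(frozen=True)
class Resource:
    type: str
    sensitivity: str  # "internal" or "confidential"


def rbac_check(subject: Subject, resource: Resource, action: str, when: datetime):
    """Return None if some role of the subject grants the action, else a reason."""
    for role in subject.roles:
        if (resource.type, action) in ROLE_PERMISSIONS.get(role, set()):
            return None
    return f"rbac: no role of {subject.name} grants {action} on {resource.type}"


def abac_check(subject: Subject, resource: Resource, action: str, when: datetime):
    """Attribute rules layered on top of RBAC for confidential resources:
    only during work hours, and only for sufficiently senior staff."""
    if resource.sensitivity != "confidential":
        return None
    if when.hour not in WORK_HOURS:
        return "abac: confidential data is only accessible during work hours"
    if subject.seniority_years < MIN_SENIORITY_FOR_CONFIDENTIAL:
        return "abac: insufficient seniority for confidential data"
    return None


def authorize(subject: Subject, resource: Resource, action: str, when: datetime):
    """Default deny: every check must pass. Returns (allowed, reason)."""
    for check in (rbac_check, abac_check):
        denial = check(subject, resource, action, when)
        if denial is not None:
            return False, denial
    return True, "allow"


if __name__ == "__main__":
    junior = Subject("jsmith", frozenset({"junior_analyst"}), seniority_years=1)
    head = Subject("mlee", frozenset({"network_security_head"}), seniority_years=8)
    firewall = Resource("firewall_config", "internal")
    customers = Resource("customer_db", "confidential")
    work = datetime(2024, 3, 5, 10, 30)
    night = datetime(2024, 3, 5, 23, 0)
    for who, what, action, when in [(junior, firewall, "read", work),
                                    (junior, firewall, "update", work),
                                    (head, customers, "read", night),
                                    (head, customers, "read", work)]:
        print(who.name, action, what.type, "->", authorize(who, what, action, when))
```

Note that the checks are ordered cheapest first and the function returns on the first denial; because the result is a denial either way, this ordering leaks nothing to the caller that a single boolean would not.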

Authorization examples

  • A user logs in to their email account and sees only their own messages; they are not authorized to view anyone else’s.
  • A provider accesses a healthcare records system and views only the patient data for which the patient has explicitly given consent.
  • A user creates a document in a shared file system and sets its permissions to “read only,” allowing others to view it but not edit it.
  • An operating system blocks an unknown program from changing system settings.

How authentication and authorization work together to secure networks

User authentication and authorization play complementary roles in protecting sensitive information and network resources from insider threats and external attackers. In short, authentication helps organizations defend user accounts, while authorization helps defend the systems those accounts can access.


Providing a foundation for identity and access management

Comprehensive identity and access management (IAM) systems help track user activity, block unauthorized access to network assets and enforce granular permissions so that only the right users can access the right resources.

Authentication and authorization address two critical questions that organizations need to answer to enforce meaningful access controls:

• Who are you? (Authentication)
• What are you allowed to do in this system? (Authorization)

An organization needs to know who a user is before it can enable the right level of access. For example, when a network administrator logs in, they first prove who they are by supplying the right authentication factors. Only then does the IAM system look up the role attached to that identity and authorize administrative actions such as adding and removing other users. The administrative privileges come from the authorization step, not from the credentials themselves.

Combating advanced cyberattacks

As organizational security controls grow more effective, more attackers are getting around them by taking over legitimate user accounts and abusing their privileges. These attacks are easy for cybercriminals to pull off. Hackers can crack passwords through brute-force attacks, use information stealer malware or buy credentials from other hackers.

Phishing is another common credential theft tactic, and generative AI tools now enable hackers to develop more effective phishing attacks in less time.

While they might be seen as basic security measures, authentication and authorization are important defenses against identity theft and account abuse, including AI-powered attacks.

Authentication can make accounts harder to steal by replacing or reinforcing passwords with factors that are harder to phish or brute-force, such as hardware security keys or biometrics.

Granular authorization systems can curtail lateral movement by restricting user privileges to solely the resources and actions they need. This approach helps limit the damage that both malicious hackers and insider threats can do by misusing access rights.
